Bug | Resolution: Fixed | P3 | 1.3.0 | None | merlin | generic | generic
Code in sun.security.pkcs.PKCS7 instantiates a certificate like this:
new sun.security.x509.X509CertImpl(bytes)
This creates an unnecessary dependency on the sun.security.x509 package and should be changed to use the CertificateFactory class from
java.security.cert, which instantiates the certificate implementation
class of a configured service provider (this corresponds to
sun.security.x509.X509CertImpl in the case of the SUN provider, but
will be a different class in the case of the IBM provider, etc.).
Directly invoking the sun.security.x509.X509CertImpl constructor
instead of going through a CertificateFactory is a bug, because it
means that any CodeSource certificates obtained from signed JAR files
will always be instances of sun.security.x509.X509CertImpl, ignoring
any certificate providers that may have been configured with a higher
priority than the SUN provider.
The same argument applies to X509CRLImpl.
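The provider-neutral form of the parsing described above, as an added example (this is not the PKCS7 code from the JDK, and the class name ProviderNeutralParsing, the helper method names and the command-line file argument are assumptions made here). It parses a DER- or PEM-encoded certificate or CRL through java.security.cert.CertificateFactory and reports which provider was selected and which concrete implementation class came back, so the effect of provider priority is visible rather than hard-wired:

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.Provider;
import java.security.cert.CRL;
import java.security.cert.CRLException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;

public final class ProviderNeutralParsing {

    // The pattern the bug report objects to: the SUN implementation class is
    // named directly, so the JCA provider order is never consulted.
    //   X509Certificate cert = new sun.security.x509.X509CertImpl(der);
    //   X509CRL crl = new sun.security.x509.X509CRLImpl(der);

    // Provider-neutral replacement: ask the JCA for the highest-priority
    // CertificateFactory registered for type "X.509".
    static X509Certificate parseCertificate(byte[] encoded) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate c = cf.generateCertificate(new ByteArrayInputStream(encoded));
        // generateCertificate returns the provider's own subclass; only the
        // public java.security.cert type is relied upon from here on.
        if (!(c instanceof X509Certificate)) {
            throw new CertificateException("not an X.509 certificate: " + c.getType());
        }
        return (X509Certificate) c;
    }

    // Same treatment for CRLs (the X509CRLImpl case mentioned in the report).
    static X509CRL parseCrl(byte[] encoded) throws CertificateException, CRLException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CRL crl = cf.generateCRL(new ByteArrayInputStream(encoded));
        if (!(crl instanceof X509CRL)) {
            throw new CRLException("not an X.509 CRL: " + crl.getType());
        }
        return (X509CRL) crl;
    }

    // Which provider actually backs "X.509" in this JVM's configuration.
    static String selectedProvider() throws CertificateException {
        Provider p = CertificateFactory.getInstance("X.509").getProvider();
        return p.getName() + " " + p.getVersionStr();
    }

    // Usage (file path is an assumption of this example):
    //   java ProviderNeutralParsing cert.der
    //   java ProviderNeutralParsing --crl list.crl
    public static void main(String[] args) throws IOException, CertificateException, CRLException {
        boolean crlMode = args.length > 0 && args[0].equals("--crl");
        String path = crlMode ? args[1] : args[0];
        byte[] encoded = Files.readAllBytes(Paths.get(path));

        System.out.println("X.509 CertificateFactory provider: " + selectedProvider());
        if (crlMode) {
            X509CRL crl = parseCrl(encoded);
            System.out.println("issuer:     " + crl.getIssuerX500Principal());
            System.out.println("impl class: " + crl.getClass().getName());
        } else {
            X509Certificate cert = parseCertificate(encoded);
            System.out.println("subject:    " + cert.getSubjectX500Principal());
            System.out.println("impl class: " + cert.getClass().getName());
        }
    }
}
```

With only the default providers installed, the impl class printed is sun.security.x509.X509CertImpl (or X509CRLImpl), which is exactly what the hard-wired constructor would have produced; the difference is that if another provider is inserted ahead of SUN (for example with java.security.Security.insertProviderAt, or by editing the provider list in the java.security file), this code picks up that provider's class while the original PKCS7 code would not.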